top of page
Search
  • Writer's pictureTim Burns
    • Mar 4, 2021
    • 1 min read

When a Secret is No Longer a Secret

Least Privilege on Shared Systems

Photo by Ben White on Unsplash


Extending secure access on a heterogeneous system can be complex. One component of the system may have access to a secret, but another may not. And, of course, when a secret gets out, it isn't a secret anymore.


I'm designing a secret system on a third-party data integration tool and I ran across this article.



Important takeaways:


  • Encrypt secrets

  • Without giving containers and services an identity, it is not possible to protect and restrict access to secrets with access control policies

  • Give identity to only the project that needs the resource, not the whole environment

  • Use ephemeral resources to pass secrets (like environment variables)

  • Give the ephemeral resources hard-to-guess names - MY_SECRET:(some md5 hash)

  • Keep track of who knows your secrets




11 views0 comments

Recent Posts

See All

Carto, Snowflake, and Data Management

A basic principle of data management: Don't move data unless you have to. Moving data is expensive and error-prone. Data Egress Cost: How To Take Back Control And Reduce Egress Charges Archiving to S

bottom of page